A months-long investigation by Microsoft has uncovered nearly 400,000 compromised systems and led to the suspension, takedown, or blocking of approximately 2,300 domains associated with the Lumma infostealer malware.
At the same time, the US Department of Justice (DOJ) effectively seized control of Lumma’s command infrastructure — significantly disrupting efforts by hackers to sell the tool to other cybercriminals.
Lifting the lid on Lumma
First detected in mid-2022, the Lumma infostealer malware — also known as LummaC2 — has been infecting Windows-based PCs and laptops. Marketed as a malware-as-a-service (MaaS) platform, it is openly sold and distributed to other malicious actors, and it’s primarily used to steal the sensitive data of unsuspecting users.
While Lumma is generally focused on stealing cryptocurrency seed phrases, it’s also capable of targeting other types of data including:
- General web browser data.
- Saved autofill data.
- Saved login credentials, particularly those for email and financial services.
Authorities have identified more than 1.7 million instances of data theft using Lumma, according to the latest reports.
A recent blog by Steven Masada with Microsoft’s Digital Crimes Unit stated: “On Tuesday, May 13, Microsoft’s DCU filed a legal action against Lumma Stealer (“Lumma”), which is the favored info-stealing malware used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services.”
Sizing up the infection
Although Lumma infections are most prevalent in the European Union, the malicious software has also been detected in large portions of the United States, eastern Africa, Japan, and many other regions.
The joint operation between Microsoft’s DCU and the DOJ has dealt a significant blow to the cybercriminals behind Lumma; including the suspected creator who goes by the handle of Shamel. Other involved agencies include the FBI, the National Security Cyber Section with the U.S. National Security Division, and the U.S. Attorney’s Office with the Northern District of Texas.
Protecting data from hackers and malware
As malware tools continue to evolve in complexity, users are advised to take the following precautions to reduce their risk of infections:
- Keep operating systems and web browsers up to date.
- Use strong, unique passwords for each login.
- Download software only from trusted, verified sources.
As cybercriminal networks grow more advanced, coordinated public-private actions like this signal a critical step forward in defending global digital infrastructure.
